Your Instagram Photos Are Leaking


Your phone's Wi-Fi is leaking. It's telling Kyle McDonald, and people like him, where you've been. It might be telling him where you live and where you work, where you go to school, and what websites you're visiting. And although you've probably been blissfully unaware of all this, he's going to throw this data up on a big screen for all to see at this year's Moogfest.

"Sometimes, I just kind of check out what people around me are doing," said McDonald, a programmer and multimedia artist. "Sometimes that means knowing what websites they're on, but with non-HTTPS websites, you can also see what pages they're looking at."

Your phone's greatest Wi-Fi weakness is in the "probe request frame," which checks to see if a local Wi-Fi network is one your device already knows about, McDonald said. That often contains a list of past networks the phone has connected to, and because a lot of networks have informative names, it can reveal where you spend your time, he said.
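What that disclosure looks like in the frame itself, as an added example (not code from the article or from McDonald's installation): a parser for the SSID element of an 802.11 probe request, useful for checking what your own device broadcasts. The function names, MAC addresses and network names are constructed for illustration, and the input is assumed to be the bare 802.11 frame without a radiotap header or FCS.

```python
import struct

MGMT_HDR_LEN = 24  # frame control, duration, 3 addresses, sequence control

def parse_probe_request(frame):
    """Return a dict for a probe request frame, None for anything else."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    frame_type, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if (frame_type, subtype) != (0, 4):  # management / probe request
        return None
    src = frame[10:16]  # address 2 = transmitter
    ssid, pos = None, MGMT_HDR_LEN
    while pos + 2 <= len(frame):  # walk the tagged elements (id, length, value)
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if len(value) < elem_len:
            break  # truncated element, stop rather than misread
        if elem_id == 0 and ssid is None:  # element ID 0 = SSID
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + elem_len
    return {
        "source": ":".join(f"{b:02x}" for b in src),
        "randomized_mac": bool(src[0] & 0x02),  # locally administered bit
        "directed": bool(ssid),  # empty SSID = wildcard probe, names nothing
        "ssid": ssid,
    }

def leaked_ssids(frames):
    """Network names each transmitter disclosed in directed probes."""
    seen = {}
    for frame in frames:
        info = parse_probe_request(frame)
        if info and info["directed"]:
            seen.setdefault(info["source"], set()).add(info["ssid"])
    return {mac: sorted(names) for mac, names in seen.items()}

def build_probe(src, ssid, subtype=4):
    """Build a constructed frame for the sample data below."""
    header = struct.pack("<HH", subtype << 4, 0) + b"\xff" * 6 + src
    header += b"\xff" * 6 + struct.pack("<H", 0)
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, 2, 0x02, 0x04])

# Constructed sample: addresses and network names are made up.
FIXED, RANDOM = bytes.fromhex("001122334455"), bytes.fromhex("020000000001")
SAMPLE = [build_probe(FIXED, b"ExampleCorp-Guest"), build_probe(FIXED, b"Example Home"),
          build_probe(RANDOM, b""), build_probe(FIXED, b"Beacon-Net", subtype=8)]
print(leaked_ssids(SAMPLE))
```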

Beyond that, if you're on an unsecured network, your Web page requests go out in the open, although if you're lucky, the pages themselves will be encrypted.

"My research indicates that Instagram sends photos over the air unencrypted. Just this evening,  I did a 'quick sniff' of myself scrolling through Instagram,"  McDonald said.

While Instagram uses secure HTTPS for API calls, security research has shown that photo URLs are unencrypted. The company is currently working on switching photo URLs to HTTPS, which would foil eavesdroppers in that particular case. But there's still a lot of data your phone will be leaking.

Who's Watching You?
You're probably not being surveilled by another patron at Starbucks, unless you're unlucky enough to be drinking coffee near McDonald. But "it's absolutely certain that everybody is being surveilled all the time" by some entity, he said. (That could be network managers, ISPs, wireless carriers, or the government, for instance.)

He also pointed out other ways Wi-Fi leakage can be used without your permission: there's a company called Nomi that uses your phone's Wi-Fi to track your location in a store, without telling customers they're being tracked. Nomi settled with the FTC last year about not offering a promised opt-out in stores using its system, although it still doesn't promise it will tell you if you're being sniffed.

"It's worth bothering about if you care about being yourself," McDonald said. "It's kind of hard to go back to not caring about this. When you know you're leaking data, you act differently and you present yourself differently."

At their Moogfest installation called "The Wi-Fi Whisperer," McDonald and Surya Mattu will be collecting data from everyone on the public Wi-Fi network, as well as anyone who passes by the installation. A speaker will whisper key tidbits, such as "an Instagram image is being downloaded right now," and four monitors will run Google searches based on the data, showing how easy it is to connect it to personal information. On an associated website, McDonald will ask poll questions based on data from participants who have agreed to share it: "do they seem dangerous? Are they a dog person? Do they own a car?"

McDonald's past projects have often involved crowdsourcing and social networking, and he's borrowing some ideas here from his last project (shown above), which crowdsourced annotations of 12 hours of video. Here, he's using the crowd to choose what the sniffed information "means."

So how do you protect yourself? Apple devices are somewhat better than Android 5 devices at probe request privacy, according to a paper from Xerox PARC. The jury seems to still be out on Android 6. Turn off your Wi-Fi unless you really need it, McDonald says. Don't connect to networks that don't require a password. And if you're still worried, install a VPN (virtual private network) on your phone. We have a rundown of the Best VPN Services showing which ones have mobile clients.

Cellular networks are much harder to sniff, although of course the NSA can look at pretty much any network it wants to, McDonald said.

PCMag is a sponsor of Moogfest, running from May 19-22 in Durham, NC. Buy tickets here. Wi-Fi Whisperer may appear at other festivals, McDonald said.
